1. Field of the Invention
This invention relates to processing web service messages, and particularly to techniques for efficiently processing security information in web service messages containing requests for destination web service applications.
2. Description of Background
Web services are self-contained, self-describing, modular applications that can be described, located, and invoked over a computer network such as the World Wide Web. Web services utilize standardized interfaces and protocols (for example, a Web Application Programming Interface (API)) to implement integration methods that allow different entities or web-based applications to communicate data, logic, and processes with one another over a network. Furthermore, these standardized methods permit different applications to exchange resources with other entities or applications that are running on different operating systems.
Web services generally rely on open, industry standards that include, for example, XML (extensible markup language), SOAP, WSDL (Web service description language), and UDDI (universal description, discovery, and integration). XML provides a general, data model-oriented framework for the development and storage of application-specific languages and information that can be represented as a tree-based data structure. SOAP is an XML-based, extensible message envelope format that is used to transfer resources over particular transport protocols such as HTTP, SMTP, and FTP. A SOAP message (also referred to as a SOAP envelope) includes a header and a body of tagged data expressed as an XML listing. WSDL is used to describe what a web service offers, and UDDI is a registry listing available web services, which uses WSDL as a language.
As the use of web services has continued to increase, concerns regarding the integrity, confidentiality, and authenticity of transferred messages have led to the development and continuing evolution of security specifications for web services. WS-Security (Web Services Security) provides an evolving industry standard for securing a web service that defines a SOAP header element to carry security-related data. WS-Security specifies how one would embed the security information laid out by other specifications within a SOAP message, as well as how to attach security tokens. For instance, if XML Signature is used in a WS-Security header element, this header can contain the information defined by XML Signature that conveys how the message was signed, the key that was used, and the resulting signature value. Likewise, if an element within the body of the message is encrypted, the encryption information such as that conveyed by XML Encryption can be contained within the WS-Security header element.
Generally, upon receiving a web service message, an application will process the data using object-oriented APIs to create some form of internal representation of the message's contents. For example, XML parsers such as Document Object Model (DOM) and Simple API for XML (SAX) may be used to process XML listings. DOM parsers provide an interface-oriented API that allows for navigation of the entire document by transforming it into a tree structure of “node”-type objects and branches representing the document's contents. SAX parsers function as a streaming push parser with an event-driven API in which the user defines a number of callback methods that will be called when events occur during parsing.
Tree-based parsers like DOM must read the entire document into memory before any processing can begin, so the amount of memory used by such a parser is a performance issue, particularly because an in-memory parse tree tends to be several times larger than the document it models. For this reason, the inventors herein have recognized that using a tree-based parser for processing web service security information can be inefficient. For example, the processes of validating and canonicalizing XML messages both require inefficient traversing of the parse tree, and the process of decrypting messages requires the generation of a second parse tree for the decrypted data and discarding of the first parse tree for the pre-decryption data.
Event-based parsers like SAX are unidirectional; thus, previously parsed data cannot be read again without starting the parsing operation again. For this reason, the inventors herein have recognized that using an event-based parser for web service security processing can also be inefficient. For example, certain kinds of XML security processing may require information from any already-parsed part at any time in the parsed XML message, and the determination of the required part may be dictated by the content of a later event. In that case, the application would need to inefficiently record all of the previously parsed information.
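The following is an added example, not part of the patent text, that makes the preceding two paragraphs concrete. It constructs a single SOAP envelope whose WS-Security header carries a timestamp, an unreferenced security token and an XML Signature whose Reference elements point (by wsu:Id) at the timestamp and at the body, and then processes it two ways. The tree-based path (Python's ElementTree standing in for DOM) holds the whole document and resolves each Reference by walking the finished tree. The event-based path (Python's xml.sax) sees the Reference to the timestamp only after the timestamp element has already streamed past, so the handler has no choice but to buffer every Id-bearing element as it goes, including the token that nothing ever references. The namespace URIs are the published SOAP 1.1, WS-Security 1.0 and XML Signature namespaces; the SignedInfo is simplified (no digest or algorithm elements, placeholder signature value) because only the Reference/Id structure matters here.

```python
"""Added example (not from the patent): one constructed SOAP envelope with a
WS-Security header, processed by a tree-based parser and by a SAX parser."""
import io
import xml.etree.ElementTree as ET
import xml.sax
from xml.sax.handler import ContentHandler, feature_namespaces

# Standard namespace URIs: SOAP 1.1 envelope, WS-Security 1.0 secext/utility, XML Signature.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed message (simplified SignedInfo, placeholder signature value).
SOAP_MESSAGE = """<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken wsu:Id="bst-1">PLACEHOLDER-TOKEN</wsse:BinarySecurityToken>
      <wsu:Timestamp wsu:Id="ts-1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#body-1"/>
          <ds:Reference URI="#ts-1"/>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER-SIGNATURE-VALUE</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body-1">
    <getQuote xmlns="urn:example:quotes"><symbol>IBM</symbol></getQuote>
  </soap:Body>
</soap:Envelope>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def dom_signed_parts(xml_text):
    """Tree-based: with the whole document in memory, a Reference URI can be
    resolved in either direction by walking the finished tree."""
    root = ET.fromstring(xml_text)
    wsu_id = "{%s}Id" % NS["wsu"]
    by_id = {el.get(wsu_id): el for el in root.iter() if el.get(wsu_id)}
    result = {}
    for ref in root.iterfind(".//ds:Reference", NS):
        target = ref.get("URI").lstrip("#")
        result[target] = _local(by_id[target].tag)
    return result


class IdBufferingHandler(ContentHandler):
    """Event-based: the stream cannot rewind, so every element carrying a
    wsu:Id is buffered as it passes; which ones were needed is known only
    when a later <ds:Reference> event names them."""

    def __init__(self):
        super().__init__()
        self.stack = []          # wsu:Id (or None) of each currently open element
        self.chunks = {}         # id -> text pieces of the still-open element
        self.buffered = {}       # id -> full text of the closed element
        self.closed_order = []   # ids in the order their elements closed
        self.referenced = []     # Reference targets in document order
        self.forward_refs = []   # target not yet seen when the Reference arrived
        self.back_refs = []      # target already closed: only usable because it was buffered

    def startElementNS(self, name, qname, attrs):
        uri, local = name
        el_id = attrs.get((NS["wsu"], "Id"))
        self.stack.append(el_id)
        if el_id is not None:
            self.chunks[el_id] = []
        if uri == NS["ds"] and local == "Reference":
            target = attrs.get((None, "URI")).lstrip("#")
            self.referenced.append(target)
            (self.back_refs if target in self.buffered else self.forward_refs).append(target)

    def characters(self, content):
        for el_id in self.stack:          # text belongs to every open Id'd ancestor
            if el_id is not None:
                self.chunks[el_id].append(content)

    def endElementNS(self, name, qname):
        el_id = self.stack.pop()
        if el_id is not None:
            self.buffered[el_id] = "".join(self.chunks.pop(el_id))
            self.closed_order.append(el_id)


def sax_report(xml_text):
    """Run the streaming parse and report what had to be buffered and why."""
    handler = IdBufferingHandler()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_namespaces, True)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return {
        "forward_references": handler.forward_refs,
        "back_references": handler.back_refs,
        "buffered_unreferenced": [i for i in handler.closed_order if i not in handler.referenced],
        "buffered": handler.buffered,
    }


if __name__ == "__main__":
    print("DOM:", dom_signed_parts(SOAP_MESSAGE))
    report = sax_report(SOAP_MESSAGE)
    print("SAX back references (needed buffering):", report["back_references"])
    print("SAX buffered but never referenced:", report["buffered_unreferenced"])
```

Running it shows the tree-based path resolving both references from one id map, while the streaming path reports `ts-1` as a back reference that was only satisfiable because the timestamp had been kept, and `bst-1` as buffered for nothing; on a real message the same handler would have to retain every Id-bearing element, which is the cost the paragraph above describes.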